Windows Server Update Service Requirements and Configuration



Step-by-Step Guide to Getting Started with Microsoft Windows Server Update Services


Step 1: Review WSUS Installation Requirements:
Hardware recommendations for a server with up to 500 clients are as follows:
·      1 gigahertz (GHz) processor
·      1 gigabyte (GB) RAM

·         Microsoft Internet Information Services (IIS) 6.0
·         Microsoft .NET Framework 1.1 Service Pack 1 for Windows Server 2003.
·         Background Intelligent Transfer Service (BITS) 2.0
Disk Requirements:
·      A minimum of 1 GB free space is required for the system partition.
·      A minimum of 6 GB free space is required for the volume where WSUS stores content; 30 GB is recommended.
·      A minimum of 2 GB free space is required on the volume where WSUS Setup installs Windows SQL Server 2000 Desktop Engine (WMSDE).

 

Automatic Updates Requirements:

Automatic Updates is the client component of WSUS. Automatic Updates has no hardware requirements other than being connected to the network. You can use Automatic Updates with WSUS on computers running any of the following operating systems:
·      Microsoft Windows 2000 Professional with Service Pack 3 (SP3) or Service Pack 4 (SP4), Windows 2000 Server with SP3 or SP4, or Windows 2000 Advanced Server with SP3 or SP4.
·      Microsoft Windows XP Professional, with or without Service Pack 1 or Service Pack 2.
·      Microsoft Windows Server 2003, Standard Edition; Windows Server 2003, Enterprise Edition; Windows Server 2003, Datacenter Edition; or Windows Server 2003, Web Edition.

Step 2: Install WSUS on Your Server             

To install WSUS on Windows Server 2003
1.   Double-click the installer file WSUSSetup.exe.
Note:
The latest version of WSUSSetup.exe is available on the Microsoft Web site for Windows Server Update Services at http://go.microsoft.com/fwlink/?LinkId=47374.
2.   On the Welcome page of the wizard, click Next.
3.   Read the terms of the license agreement carefully, click I accept the terms of the License Agreement, and then click Next.
4.   On the Select Update Source page, you can specify where clients get updates. If you select the Store updates locally check box, updates are stored on the WSUS server and you select a location in the file system to store updates. If you do not store updates locally, client computers connect to Microsoft Update to get approved updates.
Keep the default options, and click Next.








Select Update Source Page


5.   On the Database Options page, you select the software used to manage the WSUS database. By default, WSUS Setup offers to install WMSDE if the computer you are installing to runs Windows Server 2003.
If you cannot use WMSDE, you must provide a SQL Server instance for WSUS to use, by clicking Use an existing database server on this computer and typing the instance name in the SQL instance name box. For more information about database software options besides WMSDE, see the “Deploying Microsoft Windows Server Update Services” white paper.
Keep the default options, and click Next.








Database Options Page




6.   On the Web Site Selection page, you specify the Web site that WSUS will use. This page also lists two important URLs based on this selection: the URL to which you will point WSUS client computers to get updates, and the URL for the WSUS console where you will configure WSUS.

If you already have a Web site on port 80, you may need to create the WSUS Web site on a custom port. For more information about running WSUS on a custom port, see the “Deploying Microsoft Windows Server Update Services” white paper.
Keep the default option and click Next.



Web Site Selection Page




7.   On the Mirror Update Settings page, you can specify the management role for this WSUS server. If this is the first WSUS server on your network or you want a distributed management topology, skip this screen.
If you want a central management topology, and this is not the first WSUS server on your network, select the check box, and type the name of an additional WSUS server in the Server name box. For more information about management roles, see the “Deploying Microsoft Windows Server Update Services” white paper.
Keep the default option and click Next.







Mirror Update Settings Page





8.   On the Ready to Install Windows Server Update Services page, review the selections and click Next.













Ready to Install Windows Server Update Services Page



9.   If the final page of the wizard confirms that WSUS installation was successfully completed, click Finish.


 

 

 



Step 3: Configure the Network Connection            

After installing WSUS, you are ready to access the WSUS console in order to configure WSUS and get started. By default, WSUS is configured to use Microsoft Update as the location to obtain updates. If you have a proxy server on your network, use the WSUS console to configure WSUS to use the proxy server. If there is a corporate firewall between WSUS and the Internet, you might need to configure the firewall to ensure that WSUS can obtain updates.
Step 3 contains the following procedures:
·      Configure your firewall so that WSUS can obtain updates.
·      Open the WSUS console.
·      Configure proxy-server settings so that WSUS can obtain updates.

To configure your firewall
·      If there is a corporate firewall between WSUS and the Internet, you might need to configure that firewall to ensure that WSUS can obtain updates. To obtain updates from Microsoft Update, the WSUS server uses port 80 for HTTP protocol and port 443 for HTTPS protocol. This is not configurable.
·      If your organization does not allow those ports and protocols open to all addresses, you can restrict access to only the following domains so that WSUS and Automatic Updates can communicate with Microsoft Update:
·      http://windowsupdate.microsoft.com
·      http://*.windowsupdate.microsoft.com
·      https://*.windowsupdate.microsoft.com
·      http://*.update.microsoft.com
·      https://*.update.microsoft.com
·      http://*.windowsupdate.com
·      http://download.windowsupdate.com
·      http://download.microsoft.com
·      http://*.download.windowsupdate.com
·      http://wustat.windows.com
·      http://ntservicepack.microsoft.com
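As an added example (not part of the original guide), the following Python script checks proxy or firewall log entries against the domain list above, so that you can confirm the restriction behaves as intended. The matching rules (a leading *. must cover at least one whole host label, and only the default ports 80 and 443 are accepted) are assumptions about how the firewall interprets the list, and the log lines are constructed sample data.

```python
from urllib.parse import urlsplit

# Domain list copied from the firewall procedure above.
ALLOW_LIST = """
http://windowsupdate.microsoft.com
http://*.windowsupdate.microsoft.com
https://*.windowsupdate.microsoft.com
http://*.update.microsoft.com
https://*.update.microsoft.com
http://*.windowsupdate.com
http://download.windowsupdate.com
http://download.microsoft.com
http://*.download.windowsupdate.com
http://wustat.windows.com
http://ntservicepack.microsoft.com
""".split()

DEFAULT_PORT = {"http": 80, "https": 443}  # the only ports the guide opens


def compile_rules(entries):
    """Turn 'scheme://host-pattern' entries into (scheme, pattern) pairs."""
    rules = []
    for entry in entries:
        scheme, _, pattern = entry.partition("://")
        rules.append((scheme.lower(), pattern.lower()))
    return rules


RULES = compile_rules(ALLOW_LIST)


def host_matches(pattern, host):
    """Exact match, or for '*.suffix' a match on a whole-label boundary."""
    if pattern.startswith("*."):
        suffix = pattern[1:]  # keep the leading dot: ".windowsupdate.com"
        return host.endswith(suffix) and len(host) > len(suffix)
    return host == pattern


def is_allowed(url, rules=RULES):
    """Return True if the URL's scheme, host and port fit the allow list."""
    try:
        parts = urlsplit(url)
        port = parts.port  # raises ValueError on a malformed port
    except ValueError:
        return False
    scheme = parts.scheme.lower()
    # .hostname drops any "user@" prefix and lower-cases the host.
    host = (parts.hostname or "").rstrip(".")
    if scheme not in DEFAULT_PORT or not host:
        return False
    if port not in (None, DEFAULT_PORT[scheme]):
        return False
    return any(s == scheme and host_matches(p, host) for s, p in rules)


# Constructed proxy log lines in the form "<client> <method> <url>".
SAMPLE_LOG = """\
10.0.0.5 GET http://download.windowsupdate.com/msdownload/update/a.cab
10.0.0.5 POST https://www.update.microsoft.com/v6/client.asmx
10.0.0.5 GET https://download.microsoft.com/file.exe
10.0.0.5 GET http://windowsupdate.com.example.net/a.cab
10.0.0.5 GET http://lookalikewindowsupdate.com/a.cab
10.0.0.5 GET http://download.microsoft.com@example.net/a.cab
10.0.0.5 GET http://au.download.windowsupdate.com:8080/a.cab
"""


def denied_requests(log_text):
    """Return (client, url) for every logged request outside the allow list."""
    denied = []
    for line in log_text.splitlines():
        fields = line.split()
        if len(fields) != 3:
            continue
        client, _method, url = fields
        if not is_allowed(url):
            denied.append((client, url))
    return denied


if __name__ == "__main__":
    for client, url in denied_requests(SAMPLE_LOG):
        print(f"DENY {client} {url}")
```

The first two sample requests pass; the other five are reported because the scheme, host boundary, or port does not match an entry in the list.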

Although the connection between Microsoft Update and WSUS requires ports 80 and 443 to be open, you can configure multiple WSUS servers to synchronize with a custom port.
To open the WSUS console
·          On your WSUS server, click Start, point to All Programs, point to Administrative Tools, and then click Microsoft Windows Server Update Services.
Note:
You must be a member of either the WSUS Administrators or the local Administrators security groups on the server on which WSUS is installed in order to use the WSUS console.
If you do not add http://<WSUS Web site name> to the list of sites in the Local Intranet zone in Internet Explorer on Windows Server 2003, you might be prompted for credentials each time you open the WSUS console.

You can also open the WSUS console from Internet Explorer on any server or computer on your network by entering the following URL: http://WSUSservername/WSUSAdmin.

To specify a proxy server

1.   On the WSUS console toolbar, click Options, and then click Synchronization Options.
2.   In the Proxy server box, select the Use a proxy server when synchronizing check box, and then type the proxy server name and port number (port 80 by default) in the corresponding boxes.
3.   If you want to connect to the proxy server by using specific user credentials, select the Use user credentials to connect to the proxy server check box, and then type the user name, domain, and password of the user in the corresponding boxes. If you want to enable basic authentication for the user connecting to the proxy server, select the Allow basic authentication (password in clear text) check box.
4.   Under Tasks, click Save settings, and then click OK in the confirmation dialog box.

 By default, WSUS is configured to download Critical and Security Updates for all Microsoft products. To get updates, you must synchronize the WSUS server.
Synchronization involves the WSUS server contacting Microsoft Update. After making contact, WSUS determines if any new updates have been made available since the last time you synchronized. Because this is the first time you are synchronizing the WSUS server, all of the updates are available and are ready for your approval for installation.
To synchronize your WSUS server
1.   On the WSUS console toolbar, click Options, and then click Synchronization Options.
2.   Under Tasks, click Synchronize now.
After the synchronization finishes, click Updates on the WSUS console toolbar to view the list of updates.


WSUS client computers require a compatible version of Automatic Updates. WSUS Setup automatically configures IIS to distribute the latest version of Automatic Updates to each client computer that contacts the WSUS server.
The best way to configure Automatic Updates depends upon your network environment. In an Active Directory environment, you can use an Active Directory-based Group Policy object (GPO). In a non-Active Directory environment, use the Local Group Policy object. Whether you use the Local Group Policy object or a GPO stored on a domain controller, you must point your client computers to the WSUS server, and then configure Automatic Updates.
Step 5 contains the following procedures:
·      Load the WSUS Administrative Template.
·      Configure Automatic Updates.
·      Point client computers to your WSUS server.
·      Manually initiate detection on the client computer.

To add the WSUS Administrative Template

1.   In Group Policy Object Editor, click either of the Administrative Templates nodes.
2.   On the Action menu, click Add/Remove Templates.
3.   Click Add.
4.   In the Policy Templates dialog box, click wuau.adm, and then click Open.
5.   In the Add/Remove Templates dialog box, click Close.
To configure the behavior of Automatic Updates
1.   In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.
2.   In the details pane, double-click Configure Automatic Updates.
3.   Click Enabled, and then click one of the following options:
·      Notify for download and notify for install. This option notifies a logged-on administrative user prior to the download and prior to the installation of the updates.
·      Auto download and notify for install. This option automatically begins downloading updates and then notifies a logged-on administrative user prior to installing the updates.
·      Auto download and schedule the install. If Automatic Updates is configured to perform a scheduled installation, you must also set the day and time for the recurring scheduled installation.
·      Allow local admin to choose setting. With this option, the local administrators are allowed to use Automatic Updates in Control Panel to select a configuration option of their choice. For example, they can choose their own scheduled installation time. Local administrators are not allowed to disable Automatic Updates.
4.   Click OK.
Note:
The setting Allow local admin to choose setting only appears if Automatic Updates has updated itself to the version compatible with WSUS.
To point the client computer to your WSUS server
1.   In Group Policy Object Editor, expand Computer Configuration, expand Administrative Templates, expand Windows Components, and then click Windows Update.

2.   In the details pane, double-click Specify intranet Microsoft update service location.

3.   Click Enabled, and type the HTTP URL of the same WSUS server in the Set the intranet update service for detecting updates box and in the Set the intranet statistics server box. For example, type http://servername in both boxes.

4.   Click OK.
Note:
If you are using the Local Group Policy object to point this computer to WSUS, this setting takes effect immediately and this computer should appear in the WSUS administrative console in about 20 minutes. You can speed this process up by manually initiating a detection cycle.
If you want to refresh Group Policy sooner, you can go to a command prompt on the client computer and type: gpupdate /force.
For client computers configured with the Local GPO, Group Policy is applied immediately, and it takes about 20 minutes for the client computer to contact WSUS.
Once Group Policy is applied, you can initiate detection manually. If you perform this step, you do not have to wait 20 minutes for the client computer to contact WSUS.
To manually initiate detection by the WSUS server
1.   On the client computer click Start, and then click Run.
2.   Type cmd, and then click OK.
3.   At the command prompt, type wuauclt.exe /detectnow. This command-line option instructs Automatic Updates to contact the WSUS server immediately.


Step 6: Create a Computer Group            

Computer groups are an important part of WSUS deployments, even a basic deployment. Computer groups enable you to target updates to specific computers. There are two default computer groups: All Computers and Unassigned Computers. By default, when each client computer initially contacts the WSUS server, the server adds it to both these groups.
Setting up computer groups is a three-step process. First, you specify how you are going to assign computers to the computer groups. There are two options: server-side targeting and client-side targeting. Server-side targeting involves manually adding each computer to its group by using WSUS. Client-side targeting involves automatically adding the clients by using either Group Policy or registry keys. Second, you create the computer group on WSUS. Third, you move the computers into groups by using whichever method you chose in the first step.
You can use Step 6 to set up a test group that contains at least one test computer.
This step contains the following procedures:
·      Specify server-side targeting.
·      Create a group.
·      Move computers to the group.
To specify the method for assigning computers to groups
1.   On the WSUS console toolbar, click Options, and then click Computer Options.
2.   In the Computer Options box, click Use the Move computers task in Windows Server Update Services.
3.   Under Tasks, click Save settings, and then click OK when the confirmation dialog box appears.
To create a group
1.   On the WSUS console toolbar, click Computers.
2.   Under Tasks, click Create a computer group.
3.   In the Group name box, type Test, and then click OK.
To manually add a computer to the Test group
1.   On the WSUS console toolbar, click Computers.
2.   In the Groups box, click the group of the computer you want to move.
3.   In the list of computers, click the computer you want to move.
4.   Under Tasks, click Move the selected computer.
5.   In the Computer group list, select the group you want to move the computer to, and then click OK.

Step 7: Approve and Deploy Updates            

In this step you approve an update for any test client computers in the Test group. Computers in the group will check in with the WSUS server over the next 24 hours. After this period, you can use the WSUS reporting feature to determine if those updates have been deployed to the computers. If testing goes well, you can then approve the same update for the rest of the computers in your organization.
Step 7 contains the following procedures:
·      Approve and deploy an update.
·      Check the Status of Updates report.
To approve and deploy an update
1.   On the WSUS console toolbar, click Updates. By default, the list of updates is filtered to show only Critical and Security Updates that have been approved for detection on client computers. Use the default filter for this procedure.
2.   On the list of updates, select the updates you want to approve for installation. Information about a selected update is available on the Details tab. To select multiple contiguous updates, press and hold down the SHIFT key while selecting; to select multiple non-contiguous updates, press and hold down the CTRL key while selecting.
3.   Under Update Tasks, click Change approval. The Approve Updates dialog box appears.
4.   In the Group approval settings for the selected updates list, click Install from the list in the Approval column for the Test group, and then click OK.

After 24 hours, you can use the WSUS reporting feature to determine if those updates have been deployed to the computers.
To check the Status of Updates report
1.   On the WSUS console toolbar, click Reports.
2.   On the Reports page, click Status of Updates.
3.   If you want to filter the list of updates, under View, select the criteria you want to use, and then click Apply.
4.   If you want to see the status of an update by computer group and then by computer, expand the view of the update as necessary.
5.   If you want to print the Status of Updates report, under Tasks, click Print report.
If the updates were successfully deployed to the Test group, you can approve the same updates for the rest of the computers in your organization.


Microsoft Windows Server Update Services Operations Guide

 

Managing Windows Server Update Services:

Setting Up and Running Synchronizations

 

The Synchronization Options page is the central access point in the WSUS console for customizing how your WSUS server synchronizes updates. On this page, you can specify which updates are synchronized automatically, where your server gets updates, connection settings, and the synchronization schedule.

 After you synchronize updates to your WSUS server, you must then approve them before the WSUS server can perform any action for them. The exceptions to this are updates classified as Critical Updates and Security Updates, which are automatically approved for detection.

 Synchronizing Updates by Product and Classification

Your WSUS server downloads updates based on the products or product families (for example, Windows, or Windows Server 2003, Datacenter Edition) and classifications (for example, Critical Updates or Security Updates) that you specify. At the first synchronization, your WSUS server downloads all of the updates available in the categories you have specified. At subsequent synchronizations, your WSUS server downloads only the newest updates (or changes to the updates already available on your WSUS server) in the categories you specified.
You specify update products and classifications on the Synchronization Options page under Products and Classifications. Products are grouped in a hierarchy, by product family.
The default setting for Products is All Windows Products, and for Update classifications, the default setting is Critical Updates and Security Updates. You must specify update classifications individually.
To specify update products and classifications for synchronization
1.   On the WSUS console toolbar, click Options, and then click Synchronization Options.
2.   Under Products and Classifications, under Products, click Change.
3.   In the Add/Remove Products dialog box, under Products, select the products or product families for the updates you want your WSUS server to synchronize, and then click OK.
4.   Under Products and Classifications, under Update classifications, click Change.
5.   In the Add/Remove Classifications dialog box, in Classifications, select the update classifications for the updates you want your WSUS server to synchronize, and then click OK.
6.   Under Tasks, click Save settings, and then click OK.

Note:
  If you want to stop synchronizing updates for one or more specific products or product families, clear the appropriate check boxes in the Add/Remove Products dialog box, and then click OK. Your WSUS server will stop synchronizing new updates for the products you have cleared. However, updates that were synchronized for those products before you cleared them will remain on your WSUS server and will be available on the Updates page.

Configuring the Update Source:

The update source is the location from which your WSUS server gets its updates and update information (metadata). You can specify that the update source be either Microsoft Update or another WSUS server (in this scenario, the WSUS server that acts as the update source is the upstream server, and your server is the downstream server).
To specify the update source for your WSUS server
1.   On the WSUS console toolbar, click Options, and then click Synchronization Options.
2.   Under Update Source, do one of the following:
·      If you want your WSUS server to synchronize directly from Microsoft Update, click Synchronize from Microsoft Update. If your server is running in replica mode, this option is disabled. For more information, see Running in Replica Mode.
·      If you want to synchronize from another WSUS server in your network, click Synchronize from an upstream Windows Server Update Services server, and then type the server name and port number in the corresponding boxes.
·      If you want to use Secure Sockets Layer (SSL) when synchronizing update information (metadata), type the port number that the upstream server uses for SSL connections, and then select the Use SSL when synchronizing update information check box. For more information about using SSL during synchronization, see Securing Windows Server Update Services.
·      If your WSUS server is running in replica mode, you just need to type the server name in the Server name box. The upstream server does not have to be the administration server (for example, it can be another replica mode server). For more information about replica mode, see Running in Replica Mode.
3.   Under Tasks, click Save settings, and then click OK.

Synchronizing Manually or Automatically

You can either synchronize your WSUS server manually or specify a time for it to synchronize automatically on a daily basis.
To synchronize your server manually
1.   On the WSUS console toolbar, click Options, and then click Synchronization Options.
2.   Under Schedule, click Synchronize manually.
3.   Under Tasks, click Save settings, and then click OK.
To synchronize your WSUS server immediately
1.   On the WSUS console toolbar, click Options, and then click Synchronization Options.
2.   Under Tasks, click Synchronize now.

To set up an automatic synchronization schedule
1.   On the WSUS console toolbar, click Options, and then click Synchronization Options.
2.   Under Schedule, click Synchronize daily at, and then in the list select the time you want synchronization to start each day.
3.   Under Tasks, click Save settings, and then click OK.

Managing Computers and Computer Groups:

The following are common tasks you can perform on the Computers page. Before you can add a computer to a computer group,
To view the properties for a computer
1.   On the WSUS console toolbar, click Computers.
2.   In Groups, click the computer group to which the computer currently belongs.
3.   In the list of computers, click the computer for which you want to view properties.
4.   In the properties pane, do either of the following:
·      Click the Details tab for general information about the computer.
·      Click the Status tab for approval and update status for the computer.
To add a computer to a computer group
1.   On the WSUS console toolbar, click Computers.
2.   In Groups, click the computer group to which the computer currently belongs.
3.   In the list of computers, click the computer that you want to move.
4.   Under Tasks, click Move selected computer.
5.   In the Computer group dialog box, click the computer group that you want to move the computer to, and then click OK.
Note:
If your computer already belongs to a computer group, then after you perform this task it will belong to the new computer group you specify and not to the earlier computer group. However, it will remain a member of the All Computers group.
To remove a computer from a WSUS server
1.   On the WSUS console toolbar, click Computers.
2.   In Groups, click the computer group to which the computer currently belongs.
3.   In the list of computers, click the computer you want to remove.
4.   Under Tasks, click Remove the selected computer, and then click OK.
Note:
After you perform this task, you will not be able to manage update distribution for the client computer on the WSUS console, nor will the client computer be able to receive updates from the WSUS server.

    Managing Computer Groups            

WSUS enables you to target updates to groups of client computers. This capability can help you ensure that specific computers get the right updates at the most convenient times on an ongoing basis.
You can assign computers to computer groups by using one of two methods, server-side or client-side targeting, depending on whether or not you want to automate the process. With server-side targeting, you use the Move the selected computer task on the Computers page to move one or more client computers to one computer group at a time. With client-side targeting, you use Group Policy or edit the registry settings on client computers to enable those computers to automatically add themselves into the computer groups. You must specify which method you will use by selecting one of the two options on the Computers Options page.
Server-side Targeting
With server-side targeting, you use the WSUS console to both create groups and then assign computers to the groups. Server-side targeting is an excellent option if you do not have many client computers to update and you want to move client computers into computer groups manually.
To enable server-side targeting on your WSUS server, click the Use the Move computers task in Windows Server Update Services option on the Computers Options page.
Client-side Targeting
With client-side targeting, you enable client computers to add themselves to the computer groups you create in the WSUS console. You can enable client-side targeting through Group Policy (in an Active Directory network environment) or by editing registry entries (in a non-Active Directory network environment) for the client computers. When the client computers connect to the WSUS server, they will add themselves into the correct computer group. Client-side targeting is an excellent option if you have many client computers and want to automate the process of assigning them to computer groups.
To enable client-side targeting on your WSUS server, click the Use Group Policy or registry settings on client computers option on the Computers Options page.
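The Group Policy settings from Step 5 (Configure Automatic Updates, Specify intranet Microsoft update service location) and the client-side targeting settings described above are stored on each client as registry values under HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate. As an added example (not part of the original guide), this Python script audits a text export of that key (for example, one produced with reg export) against what the guide requires. The server names and the exported text are constructed sample data.

```python
import re

# Policy key written by the Windows Update Group Policy settings.
BASE = r"HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate"
AU = BASE + r"\AU"

# AUOptions values and the option names used in Step 5 of the guide.
AU_OPTIONS = {
    2: "Notify for download and notify for install",
    3: "Auto download and notify for install",
    4: "Auto download and schedule the install",
    5: "Allow local admin to choose setting",
}

# Constructed sample export with four deliberate problems.
SAMPLE_REG = r'''Windows Registry Editor Version 5.00

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate]
"WUServer"="http://wsus01"
"WUStatusServer"="http://wsus02"
"TargetGroupEnabled"=dword:00000001
"TargetGroup"=""

[HKEY_LOCAL_MACHINE\SOFTWARE\Policies\Microsoft\Windows\WindowsUpdate\AU]
"UseWUServer"=dword:00000000
"AUOptions"=dword:00000004
"ScheduledInstallDay"=dword:00000000
'''

VALUE_RE = re.compile(r'^"((?:[^"\\]|\\.)*)"=(.*)$')


def parse_reg(text):
    """Parse .reg text into {KEY PATH (upper): {value name (lower): data}}."""
    keys, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("[") and line.endswith("]"):
            current = keys.setdefault(line[1:-1].upper(), {})
            continue
        match = VALUE_RE.match(line)
        if current is None or not match:
            continue
        name, data = match.group(1).lower(), match.group(2)
        if data.startswith("dword:"):
            current[name] = int(data[6:], 16)
        elif len(data) >= 2 and data.startswith('"') and data.endswith('"'):
            # .reg files escape backslashes and quotes with a backslash.
            current[name] = re.sub(r"\\(.)", r"\1", data[1:-1])
    return keys


def audit(text):
    """Return a list of findings; an empty list means the policy is consistent."""
    keys = parse_reg(text)
    wu = keys.get(BASE.upper(), {})
    au = keys.get(AU.upper(), {})
    findings = []

    # The guide has you type the same server URL in both boxes.
    server, stats = wu.get("wuserver"), wu.get("wustatusserver")
    if not server or not stats:
        findings.append("WUServer and WUStatusServer must both be set")
    elif server.rstrip("/").lower() != stats.rstrip("/").lower():
        findings.append(f"WUServer ({server}) and WUStatusServer ({stats}) differ")

    # Without UseWUServer=1 the client ignores the intranet server URL.
    if au.get("usewuserver") != 1:
        findings.append("UseWUServer is not 1, so the WSUS server is not used")
    if au.get("noautoupdate") == 1:
        findings.append("NoAutoUpdate=1 disables Automatic Updates")

    option = au.get("auoptions")
    if option not in AU_OPTIONS:
        findings.append(f"AUOptions={option!r} is not one of {sorted(AU_OPTIONS)}")
    elif option == 4:
        # A scheduled installation needs both a day and a time.
        for name in ("ScheduledInstallDay", "ScheduledInstallTime"):
            if name.lower() not in au:
                findings.append(f"AUOptions=4 but {name} is missing")

    # Client-side targeting needs the name of a group created on the server.
    if wu.get("targetgroupenabled") == 1 and not wu.get("targetgroup"):
        findings.append("TargetGroupEnabled=1 but TargetGroup is empty")
    return findings


if __name__ == "__main__":
    for finding in audit(SAMPLE_REG):
        print("FINDING:", finding)
```

With client-side targeting, the TargetGroup value must also match a computer group that already exists in the WSUS console; that check needs the server's group list and is outside this script.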
To specify the method for assigning computers to groups
1.   On the WSUS console toolbar, click Options, and then click Computer Options.
2.   In Computer Options, do one of the following:
·      If you want to create groups and assign computers through the WSUS console (server-side targeting), click Use the Move computers task in Windows Server Update Services.
·      If you want to create groups and assign computers by using Group Policy or by editing registry settings on the client computer (client-side targeting), click Use Group Policy or registry settings on computers.
3.   Under Tasks, click Save settings, and then click OK.
To create a computer group in the WSUS console
1.   On the WSUS console toolbar, click Computers.
2.   Under Tasks, click Create a computer group.
3.   In Group name, type a name for your new computer group, and then click OK.
To remove a computer group
1.   On the WSUS console toolbar, click Computers.
2.   In Groups, click the computer group you want to remove.
3.   Under Tasks, click Delete the selected group, and then click OK.

Managing Updates            

Updates Overview            


Updates are used for patching or providing a full file replacement for software that is installed on a computer. Every update that is available on Microsoft Update is made up of two components:
·      Metadata provides information about the update. For example, metadata supplies information for the properties of an update, thus enabling you to find out what the update is useful for. Metadata also includes end-user license agreements (EULAs). The metadata package downloaded for an update is typically much smaller than the actual update file package.
·      Update files are the actual files required to install an update on a computer.
How WSUS Stores Updates

When updates are synchronized to your WSUS server, the metadata and update files are stored in two separate locations. Metadata is stored in the WSUS database. Update files can be stored either on your WSUS server or on Microsoft Update servers, depending on how you have configured your synchronization options. If you choose to store update files on Microsoft Update servers, only metadata is downloaded at the time of synchronization; you approve the updates through the WSUS console, and then client computers get the update files directly from Microsoft Update at the time of installation.

Viewing Updates      

View the list of updates. The list of updates displays updates that have been synchronized from the update source to your server running Windows Server Update Services (WSUS) and are available for approval.
To open the Updates page
·      On the WSUS console toolbar, click Updates.
To view updates
1.   On the WSUS console toolbar, click Updates. Updates are displayed in the list of updates.
2.   To sort by additional information, download status, title, classification, release date, or approval status, click the appropriate column heading.
To filter the list of updates displayed on the Updates page
1.   On the WSUS console toolbar, click Updates.
2.   Under View, select the appropriate criteria for your filter in the list boxes, and then click Apply. The list of updates will reflect your chosen criteria. The Contains Text box, under View, enables you to enter text to search on the following criteria for an update: Title, Description, and Microsoft Knowledge Base (KB) article number. Each of these items is a property listed on the Details tab in the update properties.

Approving Updates            

After updates have been synchronized to your WSUS server, you must approve them to initiate a deployment action. When you approve an update, you are essentially telling WSUS what to do with it (for example, your choices are Install, Detect only, Remove, or Decline update). When approving an update, you specify a default approval setting for the All Computers group, and any necessary settings for each computer group in the Approve Updates dialog box. If you do not approve an update, its approval status remains Not approved and your WSUS server performs no action for the update. The exceptions to this are in the Critical Updates and Security Updates classifications, which by default are automatically approved for detection after they are synchronized.
To approve updates for detection
1.   On the WSUS console toolbar, click Updates.
2.   In the list of updates, click one or more updates that you want to approve for detection.
3.   Under Update Tasks, click Change approval.
4.   In the Approve Updates dialog box, verify that Approval is set to Detect only for the All Computers group.
5.   If you want to set a different default approval setting for one or more groups, under Group approval settings for the selected updates, find the group(s) for which you want to set the special approval setting, and then, in the Approval column, select an approval setting.

Approving Updates for Installation
You can select one or more updates and approve them for installation at once; you can also approve installation by computer group. To do so, choose the Install approval option in the Approve Updates dialog box. In addition, when you specify this approval action, you can do one of the following:
·         When you select this option, users in the targeted computer group will receive a notification dialog box and an Automatic Updates icon on their taskbar when updates are ready to be installed on their computers. They can then install the updates immediately, or at a later time, by clicking the Automatic Updates icon. If you have configured Automatic Updates, either by Group Policy or locally, to notify the user before installation, these notifications will be offered to any non-administrator who logs on to the computer in the targeted computer group.
Important
·         You cannot set a deadline for automatic installation for an update if user input is required (for example, accepting a license agreement or specifying a setting relevant to the update). If you set a deadline for such an installation, synchronization will fail. To determine whether an update will require user input, look at the May request user input field in the update properties for an update displayed on the Updates page. Also check for a message in the Approve Updates box that says "The selected update requires user input and does not support an installation deadline."

To approve updates for installation
1.   On the WSUS console toolbar, click Updates.
2.   In the list of updates, click one or more updates that you want to approve for installation.
3.   Under Update Tasks, click Change approval.
4.   In the Approve Updates dialog box, verify that Approval is set to Install for the All Computers group.
5.   To specify how and when the update will be installed for computers in the computer group, next to Deadline, click None, and then click one of the following options:
·      If you want to enable users to determine when to install the updates, click Use client settings to determine update installation time, and then click OK. If you have configured Automatic Updates, either by domain-based or local Group Policy, to notify the user before installation, these notifications will be offered to any non-administrator who logs onto the computer in the targeted computer group.
·      If you want the update to be installed automatically, click Install the update by the selected date and time, specify the date and time of the deadline, and then click OK. If you want the install to occur immediately (that is, when the client computers next contact the WSUS server), you can specify a past date for the deadline.
6.   If you want to set a different default approval setting for one or more groups, under Group approval settings for the selected updates, find the group(s) for which you want to set the special approval setting, and then, in the Approval column, click an approval setting.
Declining Updates

This option is available as a task under Update Tasks on the Updates page. If you select this option, the update is removed from the list of available updates. Declined updates will appear in the updates list only if you select either Declined or All updates in the Approval list when specifying the filter for the update list under View.
To decline updates
1.   On the WSUS console toolbar, click Updates.
2.   In the list of updates, click one or more updates that you want to decline.
3.   In Update Tasks, click Decline update or Decline selected updates, depending on whether you have selected one or multiple updates to decline.
Approving Updates for Removal
You can approve an update for removal (that is, approve uninstalling the update). This option is only available if the update supports uninstalling, and you would choose the Remove approval option in the Approve Updates dialog box.
To approve updates for removal
1.   On the WSUS console toolbar, click Updates.
2.   In the list of updates, click one or more updates that you want to approve for removal.
3.   Under Update Tasks, click Change approval.
4.   In the Approve Updates dialog box, verify that Approval is set to Remove for the All Computers group.
5.   If you want to set a deadline for the update(s) to be automatically removed, next to Deadline, click None, specify the date and time for the deadline, and then click OK. If you want the update removal to occur immediately (that is, when the client computers next contact the WSUS server), you can specify a past date for the deadline.
6.   If you want to set a different default approval setting for one or more groups, under Group approval settings for the selected updates, find the group(s) for which you want to set the special approval setting, and then, in the Approval column, click an approval setting.
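The approval rules above can be checked before a change is made in the console. The following is an added example, not part of the original guide or of WSUS: it resolves the effective approval for each computer group and flags the two combinations the text warns about. The record types, function names, group names and dates are assumptions made for illustration.

```python
from dataclasses import dataclass, field
from datetime import datetime
from typing import Optional

ACTIONS = {"Install", "Detect only", "Remove", "Decline update"}  # choices named above

@dataclass
class Update:                       # hypothetical record, not a WSUS API type
    title: str
    may_request_user_input: bool = False
    supports_uninstall: bool = False

@dataclass
class Approval:
    action: str
    deadline: Optional[datetime] = None   # None = Deadline left at "None"

@dataclass
class Plan:
    update: Update
    all_computers: Approval                       # default approval setting
    groups: dict = field(default_factory=dict)    # group name -> Approval override

def effective(plan, group):
    """A group's own setting wins; otherwise the All Computers default applies."""
    return plan.groups.get(group, plan.all_computers)

def timing(approval, now):
    """When clients act on an Install or Remove approval."""
    if approval.action not in ("Install", "Remove"):
        return "n/a"
    if approval.deadline is None:
        return "no deadline"
    return "next contact" if approval.deadline <= now else "by deadline"

def check(plan, group_names):
    """Return (group, problem) findings for the rules stated above."""
    findings = []
    for g in ["All Computers", *group_names]:
        a = effective(plan, g)
        if a.action not in ACTIONS:
            findings.append((g, "unknown approval setting"))
        if a.deadline is not None and plan.update.may_request_user_input:
            findings.append((g, "deadline on an update that requires user input"))
        if a.action == "Remove" and not plan.update.supports_uninstall:
            findings.append((g, "Remove chosen but update does not support uninstall"))
    return findings

# Constructed sample: the update, group names and dates are made up.
NOW = datetime(2005, 6, 1, 12, 0)
PLAN = Plan(Update("Example update A", may_request_user_input=True),
            Approval("Detect only"),
            {"Test Lab": Approval("Install", datetime(2005, 5, 1)),
             "Servers": Approval("Remove")})
```

Calling `check(PLAN, ["Test Lab", "Servers"])` reports the Test Lab deadline and the Servers removal; a group with no override, such as a hypothetical "Workstations", inherits Detect only from All Computers.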
Approving Updates Automatically

On the Automatic Approval Options page, you can configure your WSUS server to automatically approve installation or detection for updates and associated metadata when they are downloaded to the WSUS server during synchronization. This is different from approving
To automatically approve updates for detection
1.   On the WSUS console toolbar, click Options, and then click Automatic Approval Options.
2.   In Updates, under Approve for Detection, select the Automatically approve updates for detection by using the following rule check box (if it is not already selected).
3.   If you want to specify update classifications to automatically approve during synchronization, do the following:
·      Next to Classifications, click Add/Remove Classifications.
·      In the Add/Remove Classifications dialog box, select the update classifications that you want to automatically approve, and then click OK.
4.   If you want to specify the computer groups for which to automatically approve updates during synchronization:
·      Next to Computer groups, click Add/Remove Computer Groups.
·      In the Add/Remove Computer Groups dialog box, select the computer groups for which you want to automatically approve updates, and then click OK.
5.   Under Tasks, click Save settings, and then click OK.
To automatically approve updates for installation
1.   On the WSUS console toolbar, click Options, and then click Automatic Approval Options.
2.   In Updates, under Approve for Installation, select the Automatically approve updates for installation by using the following rule check box (if it is not already selected).
3.   If you want to specify update classifications to automatically approve during synchronization, do the following:
·      Next to Classifications, click Add/Remove Classifications.
·      In the Add/Remove Classifications dialog box, select the update classifications that you want to automatically approve, and then click OK.
4.   If you want to specify the computer groups for which to automatically approve updates during synchronization:
·      Next to Computer groups, click Add/Remove Computer Groups.
·      In the Add/Remove Computer Groups dialog box, select the computer groups for which you want to automatically approve updates, and then click OK.
5.   Under Tasks, click Save settings, and then click OK.
Automatically Approving Revisions to Updates

The Automatic Approval Options page contains an option to automatically approve revisions to existing updates as they become available. This option is selected by default. A revision is a version of an update that has changes (for example, it might have expired, or have an updated EULA, UI text, or applicability rules for computers). If you configure your WSUS server to automatically approve new revisions of an update but an expired revision for the update is synchronized, your WSUS server will automatically decline the update. If you choose not to automatically approve the revised version of an update, your WSUS server will use the older revision, and you must manually approve the update revision.

To automatically approve revisions to updates
1.   On the WSUS console toolbar, click Options, and then click Automatic Approval Options.
2.   Under Revisions to Updates, click Automatically approve the latest revision of the update.
3.   Under Tasks, click Save settings, and then click OK.
Recommended Process for Approving a Superseding Update
Because a superseding update typically enhances a fix provided by a previously released, superseded update, it is recommended that you first see how many client computers will be compliant with the new update, and work backward from there. Use the following process.
To approve a superseding update
1.   Approve the superseding update for Install on all computers where the fix provided by the update is appropriate.
2.   Check the resulting status of the approval action on your computers. Note which computers show status as Not needed for the update, and then compare the properties of those computers with the properties of the update.
3.   Use the information available in the update properties to help you determine which previously released versions of the update are available. For example, look under Supersedes on the Details tab, and check the Description and KB article number entries if appropriate.
4.   Get information about the superseded, previously released versions of the updates; for example, view their properties.
5.   When you find a superseded update that seems appropriate for the remaining client computers, approve the update for installation.
6.   Repeat this process until all of your client computers are updated with the intended fix.
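The work-backward process above can be planned on paper before anything is approved. The following is an added example, not part of the original guide or of WSUS: it follows the Supersedes links from the newest update and assigns each computer the newest update in the chain that it reports as needed. The update ids, applicability data and computer names are constructed, and client status is modelled as a simple operating system match, which is an assumption.

```python
from collections import deque

# Constructed sample: update ids, applicability and computer names are made up.
UPDATES = {
    "UPD-C": {"supersedes": ["UPD-B"], "applies_to": {"Windows Server 2003"}},
    "UPD-B": {"supersedes": ["UPD-A"], "applies_to": {"Windows XP", "Windows Server 2003"}},
    "UPD-A": {"supersedes": [], "applies_to": {"Windows 2000", "Windows XP"}},
}
COMPUTERS = {"srv01": "Windows Server 2003", "xp01": "Windows XP",
             "w2k01": "Windows 2000", "nt01": "Windows NT 4.0"}

def supersedence_order(updates, newest):
    """List updates newest first by following the Supersedes links."""
    order, seen, queue = [], {newest}, deque([newest])
    while queue:
        uid = queue.popleft()
        order.append(uid)
        for older in updates[uid]["supersedes"]:
            # Skip ids that were never synchronized and guard against loops.
            if older in updates and older not in seen:
                seen.add(older)
                queue.append(older)
    return order

def status(update, computer_os):
    """Stand-in for the status a client reports (assumption: OS match only)."""
    return "Needed" if computer_os in update["applies_to"] else "Not needed"

def plan_rollout(updates, newest, computers):
    """Return ({update id: [computers to approve Install for]}, [uncovered computers])."""
    remaining = dict(computers)
    approvals = {}
    for uid in supersedence_order(updates, newest):
        targets = sorted(name for name, os_name in remaining.items()
                         if status(updates[uid], os_name) == "Needed")
        if targets:
            approvals[uid] = targets
            for name in targets:
                del remaining[name]
        if not remaining:
            break
    return approvals, sorted(remaining)

if __name__ == "__main__":
    for item in plan_rollout(UPDATES, "UPD-C", COMPUTERS):
        print(item)
```

Computers left in the second return value are covered by no update in the chain and need to be examined individually.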

Approving Office Updates            
If you use WSUS to update Microsoft Office on your network computers, consider the following:
·      If you have purchased a "per user" license agreement for Office, you must ensure that each user's installation of Office is updated (for example, there might be two users who run individually licensed copies of Microsoft Office on the same computer). This means a particular user has to be logged on to the computer for that specific copy of Office to be updated. For example, if two people both have accounts on a computer that is running Microsoft Office, then each of them has to log on and update his or her Office installation, otherwise one of them will not have an updated version of Office.
·      Users can access the public Microsoft Office Online Web site and can look for updates to their Office installation through the Microsoft Office Update wizard. Using Group Policy, you might want to create policies that prevent users from getting their own Office updates from Microsoft Office Online.
·      Unlike Windows Update or Microsoft Office Online, which are public Web sites that users can visit directly, Microsoft Update is accessed only by WSUS servers. It is currently in beta release and makes security updates available only for Office XP and Office 2003. Some critical updates are not available through Microsoft Update. Therefore, some updates might appear on the Microsoft Office Online Web site that are not available on Microsoft Update.
Approving SQL Server and Exchange Server Updates            
Updating Microsoft SQL Server Instances

Managing installations (instances) of Microsoft SQL Server on a single computer can become complex, because you can enable any of the following SQL Server scenarios:
·      Multiple instances of SQL Server on the computer at the same time.
·      Multiple versions (releases) of SQL Server.
·      SQL Server instances in multiple languages on the same computer.

Typically, there is nothing extra you have to do to update these multiple instances; you just need to make sure that when you specify your synchronization options (for example, product, update classifications, and language options), you account for requirements for the versions of the SQL Server instances you have on the computer.
To specify where to store downloaded update files
1.   On the WSUS console toolbar, click Options, and then click Synchronization Options.
2.   Under Update Files and Languages, click Advanced.
3.   Under Update Files, select whether to store update files on the server running Windows Server Update Services (WSUS) or on Microsoft Update. If you choose to store update files on your server, you can choose either to download update files only when they are approved, or to download express installation files.
4.   If you chose to store the files on the WSUS server, under Languages, select whether you want to limit the updates downloaded to your WSUS server by language, and then click OK. Note that downloading all languages (which is selected by default) takes more disk space. If possible, consider limiting the languages you download if you are also choosing to store update files on your WSUS server.
5.   In Tasks, click Save settings, and then click OK.
Note
If your WSUS server is running in replica mode, you will not be able to perform this task. For more information about replica mode, see Running in Replica Mode.
To change the location of local WSUS update storage
1.   Click Start, and then click Run.
2.   In the Open box, type cmd, and then click OK.
3.   At the command prompt, navigate to the directory that contains WSUSutil.exe.
4.   Type the following, and then press ENTER:
wsusutil.exe movecontent contentpath logfile [-skipcopy]
For example, type:
wsusutil.exe movecontent D:\WSUS1\ D:\move.log
where D:\WSUS1 is the new path for local WSUS update storage, and D:\move.log is the path to the log file.
Managing the Databases